ABSTRACT

Unconditionally secure bit commitment and coin flipping are 
known to be impossible in the classical world. Bit commit- 
ment is known to be impossible also in the quantum world. 
We introduce a related new primitive - quantum bit escrow. 
In this primitive Alice commits to a bit b to Bob. The com- 
mitment is binding in the sense that if Alice is asked to reveal 
the bit, Alice can not bias her commitment without having 
a good probability of being detected cheating. The commit- 
ment is sealing in the sense that if Bob learns information 
about the encoded bit, then if later on he is asked to prove 
he was playing honestly, he is detected cheating with a good 
probability. Rigorously proving the correctness of quantum 
cryptographic protocols has proved to be a difficult task. We 
develop techniques to prove quantitative statements about 
the binding and sealing properties of the quantum bit escrow 
protocol. 

A related primitive we construct is a quantum biased coin 
flipping protocol where no player can control the game, i.e., 
even an all-powerful cheating player must lose with some 
constant probability, which stands in sharp contrast to the 
classical world where such protocols are impossible. 
General Terms

Quantum cryptography, Quantum coin tossing, Quantum bit commitment

1. INTRODUCTION 

We start with an informal definition of a (very) weak variant 
of bit commitment. In this variant there is first a commitment
stage in which Alice commits a bit b to Bob. Later
on there is a reveal stage in which Alice reveals the bit and 
Bob proves he played honestly. The protocol should be bind- 
ing in the sense that if Alice changes her mind at revealing 
time then Bob has a good probability of catching her cheat- 
ing, and sealing in the sense that if Bob learns information 
about the committed bit then Alice has a good probability 
of catching him cheating. Thus, the fundamental (and only) 
difference between this primitive and bit commitment is that 
in bit commitment Bob can not learn from the encoding any 
information about b, while in the weak primitive Bob can 
learn a lot of information about the encoded bit, but if he 
does so Alice catches him cheating with a good probability. 

Definition 1. (Weak bit commitment) A weak bit com- 
mitment protocol is a quantum communication protocol be- 
tween Alice and Bob which consists of two stages, the de- 
positing stage and the revealing stage, and a final classical 
declaration stage at which both Alice and Bob each declare 
"accept" or "reject". The following requirements should 
hold. 

• If both Alice and Bob are honest, then at depositing
stage Alice decides on a bit, b. She then communicates 
with Bob, where Alice's protocol depends on b. At re- 
vealing stage Alice and Bob communicate, and during 
this stage Alice reveals to Bob the deposited bit b. Both 
Alice and Bob accept. 

• (Binding) If Alice tries to change her mind about the 
value of b, then there is non zero probability that an 
honest Bob would reject. 

• (Sealing) If Bob attempts to learn information about 
the deposited bit b, then there is non zero probability 
that an honest Alice would reject. 

Later on, we will give more formal definitions of "Alice 
changing her mind" and "Bob learning information", and 
we will quantify the degree to which a protocol is binding
or sealing. 

Now, consider the following protocol: 

Protocol 1. (Bit Escrow) For an angle $\alpha \in [-\pi, \pi]$ define
$\phi_\alpha = \cos(\alpha)|0\rangle + \sin(\alpha)|1\rangle$. Let

$$\phi_{b,x} = \begin{cases}
\phi_{-\theta} & b = 0,\ x = 0 \\
\phi_{\theta} & b = 0,\ x = 1 \\
\phi_{\pi/2-\theta} & b = 1,\ x = 0 \\
\phi_{\pi/2+\theta} & b = 1,\ x = 1
\end{cases}$$

for some fixed angle $\theta$ < ^, say, $\theta$ = ^. See Figure [J.
To deposit bit b, Alice picks a random $x \in \{0, 1\}$, and sends
$\phi_{b,x}$ to Bob. Later on, one of the following two challenges
is issued:

• Either Alice is asked to reveal the deposited bit, and
then Alice sends the classical bits b and x to Bob¹.
Bob measures $\phi$ according to the basis $\{\phi_{0,x}, \phi_{1,x}\}$ and
verifies that the result of the measurement is $\phi_{b,x}$.

• Or Bob is asked to return the deposited qubit, he
returns a qubit q, and Alice measures it in the
$\{\phi_{0,x}, \phi_{1,x}\}$ basis and verifies that it is $\phi_{b,x}$.

We rigorously define and prove: 

Theorem 1. Protocol 1 has the following properties:

• The deposited qubit does not reveal, in an information 
theoretic sense, all the information about the deposited 
bit b. 

• (Binding) When Bob asks Alice to reveal the classical
bit b that she deposited, if Alice influences the value of
b with advantage $\epsilon$ then she is detected cheating with
probability $\Omega(\epsilon^2)$.

• (Sealing) When Alice challenges Bob to return the deposited
qubit, then if Bob can predict b with advantage
$\epsilon$ then he is detected cheating with probability $\Omega(\epsilon^2)$.

Protocol 1 and Theorem 1 do not achieve the goal set in
Definition 1 of weak bit commitment. Definition 1 asks for
a protocol that is both binding and sealing, i.e., a commitment
s.t. if either player cheats he is detected cheating with
a good probability. Protocol 1 and Theorem 1 only give a
commitment that is either binding (if Alice has to reveal) or
¹ This means that when Bob gets the qubit $q_b$ that is supposed
to carry a classical value for b, Bob measures $q_b$ first



sealing (if Bob has to return the qubit), but not simultane- 
ously both. We therefore call this protocol a bit escrow pro- 
tocol. The question of achieving simultaneous binding and 
sealing i.e. a weak bit commitment protocol, is left open. 
This question was addressed in who independently defined
the binding and sealing properties, and we discuss it
in section

We describe soon how to use the first two properties in Theorem 1
to get a biased coin flipping protocol with a constant
bias. 

1.1 Quantum Coin flipping 

Alice and Bob are going through a divorce. They want to 
decide by a coin flip over the phone who is going to keep the 
car. The problem is that they do not trust each other any 
more. 

Definition 2. (Classical coin flipping) A coin flipping
protocol with $\delta$ bias is one where Alice and Bob communicate
and finally decide on a value $c \in \{0, 1\}$ s.t. if at
least one of the players is honest then for any strategy of the
dishonest player $Prob(c = 0) \in [\frac{1}{2} - \delta, \frac{1}{2} + \delta]$.



in the $\{|0\rangle, |1\rangle\}$ basis.
We carry this convention throughout



Classical coin flipping can be implemented either by a 
trusted party or by assuming players with limited compu- 
tational power and some cryptographic assumptions. How- 
ever, if the players have unlimited computational power then 
no coin flipping protocol is possible in a classical world. This 
is because any protocol represents a two player game, and 
therefore game theory tells us that there is a player with an 
always winning strategy. 

By contrast, in the quantum setting coin flipping (without 
computational assumptions) is not a priori ruled out. This is 
because any attempt by a player to measure extra informa- 
tion by deviating from the protocol can disturb the quantum 
state, and therefore be detected by the other player. This
leads Lo and Chau [?] and later Mayers et al. [?] to consider
quantum coin flipping. There are several ways to define 
quantum coin flipping when cheaters can be detected. We 
define: 

Definition 3. (quantum coin flipping) A quantum coin
flipping protocol with bias $\delta$ is one where Alice and Bob communicate
and finally each decides on a value $c \in \{0, 1, err\}$.
Let $c_A$ ($c_B$) denote Alice's (Bob's) result. We require:

• If both players are honest then $c_A$ always equals $c_B$,
$Prob(c_A = err) = 0$, and 0 and 1 have equal probability:
$Prob(c_A = 0) = Prob(c_A = 1) = \frac{1}{2}$.

• If one of the players is honest and the other is not,
then for any strategy of the dishonest player, the honest
player's result c satisfies for any $b \in \{0, 1\}$:

$$Prob(c = b) \le \frac{1}{2} + \delta$$

Lo and Chau [?] showed that there is no quantum coin flipping
protocol with 0 bias, under a certain restriction ("ideal
coin flipping"). Mayers et al. [?] generalized their proof to
the general 0 bias case. Lo and Chau leave open the question
whether non-exact protocols exist. Mayers et al. [?]
suggest a quantum coin flipping protocol that is based on a
biased-coin protocol that is repeated many times. Mayers
et al. prove that it works well against some strong, natural
attacks. However, no general proof is given or claimed for
the coin-flipping protocol or the biased-coin sub-protocol.
We give a simple protocol for quantum biased coin flipping,
with constant bias. It is a modification of Protocol 1.

Protocol 2. (A biased coin flipping protocol) 

• Alice picks $b, x \in_R \{0, 1\}$ and sends Bob $\phi_{b,x}$. We set

e = i. 

• Bob chooses $b' \in_R \{0, 1\}$ and sends it to Alice.

• Alice sends Bob b and x. Bob checks against the qubit
she sent in the first step. The result of the game is
$r = err$ if Alice is caught cheating and $r = b \oplus b'$
otherwise.

Based on the properties of Protocol 1 we can prove that no
player can fully control the game:

Theorem 2. Protocol 2 has $\delta \le 0.42$ bias.

i.e., no player can force his result with probability greater 
than 0.92. We note that while our protocol is resilient 
against all powerful malicious quantum players, it requires 
only simple single qubit operations from the honest player. 
An intriguing question is whether quantum coin flipping pro- 
tocols are possible for arbitrarily low biases. 

1.2 Weak Bit Commitment? 

Hardy and Kent (see Section ) noticed that Protocol 1
can be used to give a weak bit commitment protocol if Alice
and Bob can access a random independent coin flip. This
is done as follows: at revealing time Alice first reveals the
bit b, and then they receive a random independent coin flip.
If the coin is 0, Bob is challenged to convince Alice that he
hasn't been cheating, and if the coin flip turns out to be 1,
then Alice is challenged. This is still correct if the coin flip
is biased, as long as both probabilities for 0 and for 1 are
constant.

Since we already have a biased coin flipping protocol, we 
might consider using this biased coin flipping protocol com- 
bined with the bit escrow protocol to give a weak bit com- 
mitment protocol. Consider the following protocol (see Fig- 



Protocol 3. To deposit bit b, Alice picks a random
$x \in \{0, 1\}$, and sends $\phi = \phi_{b,x}$ to Bob. To reveal the bit,
Alice sends b to Bob. Then a biased-coin flipping protocol
(Protocol 2) is played.

• If Alice loses she is asked to reveal x and Bob measures
$\phi$ according to the basis $\{\phi_{0,x}, \phi_{1,x}\}$ and verifies that
the result of the measurement is $\phi_{b,x}$.

• If Bob loses he is asked to return the deposited qubit
q, and Alice measures it in the $\{\phi_{0,x}, \phi_{1,x}\}$ basis and
verifies that it is $\phi_{b,x}$.

It is left as an open question whether this protocol, or per- 
haps a protocol which uses a different coin flipping proce- 
dure, is actually a weak bit commitment protocol. The main 
difficulty in proving or disproving such a result is the issue of 
independence between the coin flipping protocol and the bit 
escrow protocol. In other words, one has to prove that the 
cheater cannot use entanglement to correlate the events of
being detected cheating in the bit-escrow protocol and winning
the biased coin flipping protocol, in such a way that
the cheater is never challenged when he (or she) has positive
probability of being detected.

[Figure 2: Protocol 3. Diagram of the exchange between Alice and Bob.]

It is our hope that our techniques could be extended to 
give weak bit commitment with $\Omega(\epsilon^c)$ binding and sealing
for some constant c. Our results also show that Protocol 3
cannot be more than $O(\epsilon^2)$ sealing or binding. It might be
interesting to find a protocol that does better, or prove that
such a protocol does not exist. It seems that a weak bit 
commitment protocol with better than quadratic security 
parameters can be used repeatedly to give a secure coin 
flipping protocol with unbounded bias. 

1.3 Related Work 

Some of the work presented here was independently done by 
Hardy and Kent [?]. They independently defined the binding
and sealing properties and the weak bit commitment
primitive (giving it different names). The protocol they analyze
is similar in structure to Protocol 3. Hardy and Kent's
result asserts that a protocol similar to Protocol 3 is simultaneously
sealing and binding. I.e., if Alice (Bob) uses a
strategy that gives her (him) $\epsilon$ advantage, then Alice (Bob)
is detected cheating with some probability which is strictly
greater than 0 (they do not analyze the dependence of the
detection probability on $\epsilon$). However, no proof is given regarding
the security against a cheater who tries to correlate
the two parts of the protocol to his (or her) advantage.

2. PRELIMINARIES 

The model. Let $\{e_1, \ldots, e_{2^n}\}$ be an orthonormal basis for
$\mathbb{C}^{2^n}$, and let $|i\rangle$ = ... be the vector $e_i$. A pure state
over n qubits is a vector $v \in \mathbb{C}^{2^n}$ of norm 1. Any pure
state $|v\rangle$ can be expressed as $|v\rangle = \sum_i a_i|i\rangle$, with $\sum_i |a_i|^2 = 1$.
A mixed state is a classical distribution over pure states,
$\{p_i, \phi_i\}$ where $0 \le p_i \le 1$, $\sum_i p_i = 1$ and $\phi_i$ is a pure state,
and the interpretation we give it is that the system is with
probability $p_i$ in the pure state $\phi_i$. A quantum system is,
in general, in a mixed state. The system Alice builds in
the first stage of Protocol 1 is in a mixed state that is with
probability | in some pure state $\phi_{b,x}$.

A quantum system can undergo two basic operations; uni- 
tary evolution and measurement. 

Unitary evolution : If a unitary transformation
$U : \mathbb{C}^{2^n} \to \mathbb{C}^{2^n}$ is applied to a pure state $\phi$, then the
new state of the system is the pure state $U\phi$. If U is
applied to the mixture $\{p_i, \phi_i\}$ then the new state of
the system is the mixture $\{p_i, U\phi_i\}$. The interpretation
we give it is that with probability $p_i$ the system
was in the pure state $\phi_i$ hence it is now in the pure
state $U\phi_i$.

Orthogonal Measurements : An orthogonal measurement
is a decomposition of the system into orthogonal
subspaces. More formally, suppose the system is
in a super position $\phi \in \mathbb{C}^{2^n}$. Suppose $H_1, \ldots, H_k$
are orthogonal subspaces, and $\mathbb{C}^{2^n} = H_1 \oplus \ldots \oplus H_k$.
A measurement of $\phi$ according to the decomposition
$H_1, \ldots, H_k$ will get result i (or $H_i$) with probability
$q_i = |\Pi_{H_i}\phi|^2$, where $\Pi_{H_i}$ is the projection
on subspace $H_i$, and then the state will collapse to
$\frac{1}{\sqrt{q_i}}\Pi_{H_i}|\phi\rangle$. In other words, $\phi$ falls into the subspace
$H_i$ with probability which is the length of the projection
squared, and the new vector is the normalized
projected vector. An orthogonal measurement can
be represented using an Hermitian matrix M whose
eigenspaces are the subspaces $H_i$. A measurement of
a mixture is the mixture of the measurements of the
pure states.

Given a system p on (D^ , one can use an ancilla, say 
|0, ... ,0) £ , apply a unitary transformation U : 

<C^ 1-^ (D^ ® (D^ , and then an orthogonal mea- 
surement on (D^ (8) . It turns out that this is the most 
general measurement possible. There are several equivalent 
ways to formulate this so called 'generalized measurement', 
and we refer the interested reader to |^ . 

The Density Matrix. The density matrix of a pure state
$|\phi\rangle$ is the matrix $|\phi\rangle\langle\phi|$, where $\langle\phi| = (|\phi\rangle^{T})^{*}$ is the conjugate
transpose of $\phi$. For example, the density matrix of $\phi_{0,0}$ is

$$|\phi_{-\theta}\rangle\langle\phi_{-\theta}| = \begin{pmatrix} \cos^2(\theta) & -\cos(\theta)\sin(\theta) \\ -\cos(\theta)\sin(\theta) & \sin^2(\theta) \end{pmatrix}$$

The density matrix of a mixed state $\{p_i, \phi_i\}$ is $\sum_i p_i|\phi_i\rangle\langle\phi_i|$.
All density matrices are Hermitian, positive semi-definite
and have trace 1. If a unitary matrix U operates on the
system, it transforms the density matrix $\rho$ to $U\rho U^\dagger$. A measurement
M operating on a system whose density matrix is
$\rho$ results in an expected outcome $Trace(M\rho)$.

Distinguishing Between Density Matrices. Given a
quantum system $\rho$ and a generalized measurement O on
it, let $\rho^O$ denote the classical distribution on the possible
results that we get by measuring $\rho$ according to O, i.e., it is
some classical distribution $p_1, \ldots, p_k$ where we get result i
with probability $p_i$. Given two different mixed states, we can
ask how well one can distinguish between the two mixtures.
We need a measure for the distance between two classical
distributions and we choose the $\ell_1$ norm:

Definition 4. Let $p_1, \ldots, p_k$ and $q_1, \ldots, q_k$ be two probability
distributions over $\{1, \ldots, k\}$. Then $|p - q|_1 = \sum_i |p_i - q_i|$.

A fundamental theorem about distinguishing density matri- 
ces tells us: 

Theorem 3. [?] Let $\rho_1, \rho_2$ be two density matrices on the
same space H. Then for any generalized measurement O

$$|\rho_1^O - \rho_2^O|_1 \le Trace(\sqrt{A^\dagger A})$$

where $A = \rho_1 - \rho_2$. Furthermore, the bound is tight, and
the orthogonal measurement O that projects a state on the
eigenvectors of $\rho_1 - \rho_2$ achieves this bound.

Theorem 3 shows that the density matrix captures all the
accessible information that a quantum state contains. If 
two different mixtures have the same density matrix (which 
is quite possible) then physically they are two different sys- 
tems, but practically (and from a computational point of 
view) they are indistinguishable. 

The quantity $Trace(\sqrt{A^\dagger A})$ is of independent interest. If
we define $\|A\|_t = Trace(\sqrt{A^\dagger A})$ then $\|\cdot\|_t$ defines a norm,
and has some additional properties such as $\|A \otimes B\|_t = \|A\|_t \cdot \|B\|_t$,
$\|A\|_t = 1$ for any density matrix A and
$\|AB\|_t \le \|A\|_t \cdot \|B\|_t$. If $\phi_1, \phi_2$ are two pure
states, and $\rho_i$ is the reduced density matrix of $\phi_i$, then
$\|\rho_1 - \rho_2\|_t = 2\sqrt{1 - |\langle\phi_1|\phi_2\rangle|^2}$. See [?] for more details.

Locality. We now turn to the local view of a subsystem. 
Suppose we are in a mixed state p over k + m qubits, where 
Alice holds the first k qubits A and Bob holds the last m 
qubits B. Assume that Alice applies a generalized measurement
O on her qubits A. This induces a new density matrix
$\rho_B^O$ on B. E.g., if Alice and Bob were in the super position
$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ over two qubits and Alice measured the
second qubit according to the basis $\{|0\rangle, |1\rangle\}$, then Bob is
with probability $\frac{1}{2}$ in the super position $|0\rangle$ and with probability
$\frac{1}{2}$ in $|1\rangle$, hence $\rho_B^O = \begin{pmatrix} 1/2 & 0 \\ 0 & 1/2 \end{pmatrix}$. A fundamental
fact from physics, which can also be proven rigorously, tells
us that in fact $\rho_B^O$ does not depend on O, but only on the
original matrix $\rho$. We thus denote it by $\rho_B$, and call it the
density matrix $\rho$ reduced onto the subsystem B. Alternatively,
we say that the rest of the system is traced out. The
physical interpretation of the above result is that a player is 
guaranteed locality, i.e., a player Bob who holds a subsys- 
tem B knows that the results he gets from measurements he 
applies on B do not depend on the way the system outside 
B evolves. It is also some kind of commitment. If Alice 
sends Bob k qubits that have reduced density matrix $\rho_B$,
then whatever Alice later does can not change this reduced 
density matrix. 

Purification. A density matrix on a Hilbert space A can
always be viewed as a reduced density matrix of a pure state
on a larger Hilbert space, a process which is called "purification".
A pure state $|\phi\rangle_{A,B}$ is a purification of the density
matrix $\rho_A$ if the reduced density matrix of $|\phi\rangle\langle\phi|_{A,B}$ to the
Hilbert space A is $\rho_A$. The most straightforward way to
purify a density matrix $\rho = \sum_i w_i|\phi_i\rangle\langle\phi_i|$ is by the state

$$|\phi\rangle = \sum_i \sqrt{w_i}\,|i\rangle \otimes |\phi_i\rangle.$$

Fidelity. 

The fidelity is a way to measure distances between density 
matrices, which is an alternative to the trace metric. Given 
two density matrices $\rho_0, \rho_1$ on the same Hilbert space A the
fidelity is defined [?] to be:

$$f(\rho_0, \rho_1) = \sup |\langle\phi_0|\phi_1\rangle|^2 \qquad (1)$$

where the supremum is taken over all purifications $|\phi_0\rangle$ of $\rho_0$
and $|\phi_1\rangle$ of $\rho_1$ to the same dimensional Hilbert space. We
note here a few important properties which can easily be
proven:

1. $0 \le f(\rho_0, \rho_1) \le 1$

2. $f(\rho_0, \rho_1) = 1 \Leftrightarrow \rho_0 = \rho_1$

3. For $\rho_0$ which is a pure state, i.e. $\rho_0 = |\phi_0\rangle\langle\phi_0|$, we
have

$$f(\rho_0, \rho_1) = \langle\phi_0|\rho_1|\phi_0\rangle.$$

Note that the fidelity increases as the distance between two
density matrices decreases. It is also not too difficult to see
that the supremum is always achieved, i.e. we can replace
the supremum by a maximum; See [?] for more details.

Entanglement. Suppose Alice holds a register A, Bob 
holds B, and the system is in a pure state $\psi_{AB}$. If we look
at Bob's system alone then we might see a mixed state, and 
as we said before, Alice can not change the reduced density 
matrix of Bob by local operations on her side. On the other 
hand Alice might gain different aspects of knowledge on the 
actual result that Bob gets. 

Example 1. $\psi_{AB} = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. If Alice measures in
the $\{|0\rangle, |1\rangle\}$ basis, then Bob's system is with probability half
in the state $|0\rangle$, and with probability half in the state $|1\rangle$, and
the register A reflects the result Bob gets, i.e., Alice knows
whether Bob gets a zero or a one. Now, $\psi_{AB}$ can also be represented
as $\frac{1}{\sqrt{2}}(|+,+\rangle + |-,-\rangle)$ where $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$
and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. Alice can measure the register A
in the $\{|+\rangle, |-\rangle\}$ basis. Now Bob's system is with probability
$\frac{1}{2}$ in the state $|+\rangle$, and with probability half in the state
$|-\rangle$, and the register A reflects the result Bob gets, i.e., Alice
knows whether Bob gets $|+\rangle$ or $|-\rangle$. Notice that Bob's
reduced density matrix is the same in both cases.

An important Theorem by Mayers and independently Lo
and Chau [?] states:

Theorem 4. Suppose the reduced density matrix of B is
the same in $\phi_{AB}$ and $\psi_{AB}$. Then Alice can move from $\phi_{AB}$
to $\psi_{AB}$ by applying a local transformation on her side.

I.e., even though Alice can not change Bob's reduced density 
matrix, she can determine how to "open" the mixture, and 
do so in a way that gives her full knowledge of Bob's result. 



3. THE BINDING PROPERTY 

In Protocol 1 Alice sends a qubit to Bob (we call it a "deposit"
step) and later on she tells Bob how to "open" the
qubit (the "reveal" step) which also determines the value 
that is supposed to be in the qubit. Such a protocol is 
worthless unless the deposit step is "binding" Alice to a 
pre-determined value. We first define the binding property 
in a general way. We then analyze how binding Protocol 1
is. Suppose we have a two step protocol: 

Deposit : Alice prepares a super-position $\psi_{AB}$ with two
quantum registers A and B. Alice sends the second
register B to Bob.

Reveal : Alice and Bob communicate. Bob follows the
protocol and Alice is arbitrary. If Alice wants to create
a bias towards 0 she uses one strategy, and if she wants
a bias towards 1 she uses a different strategy. Bob
decides on a result $r_B \in \{0, 1, err\}$.

Let us denote by $p_0$ the probability that Alice claims the result
is 0 in the zero strategy, by $p_1$ the probability that Alice
claims the result is 1 in the zero strategy, and by $p_{err}$ the
probability that Bob decides the answer is $r_B = err$ when
Alice uses the zero strategy. We similarly define $q_0, q_1, q_{err}$
for the one strategy.

Definition 5. (($\epsilon, \gamma$) binding) A protocol is $(\epsilon, \gamma)$ binding,
if whenever Bob is honest, for any strategy Alice uses,
if $p_{err}, q_{err} \le \epsilon$ then $|p_0 - q_0|, |p_1 - q_1| \le \gamma$.

3.1 Protocol 1 is quadratically binding

Theorem 5. Protocol 1 is $(\epsilon, \gamma = \frac{2\sqrt{\epsilon}}{\cos(2\theta)})$ binding.

Proof. (of Theorem 5). At deposit time Alice sends Bob
one qubit B, which might be entangled with the qubits A
that Alice holds. Let us denote the reduced density matrix
of B by $\rho$. At revealing time, Alice may choose whether
she wants to bias the result towards 0, in which case she
applies the generalized measurement $M_0$, or towards 1 in
which case she applies $M_1$. The measurements $M_0$ and $M_1$
do not change the reduced density matrix $\rho$ of Bob, but
rather give different ways to realize $\rho$ as a mixture of pure
states, and give Alice information about the value that Bob
actually gets to see in this mixture.

Now, we even go further and give Alice complete freedom to
choose the way she realizes the reduced density matrix $\rho$ of
Bob as a mixture, and we give her the knowledge of Bob's
value for free. Let us say that when Alice applies $M_0$, the
reduced density matrix $\rho$ is realized as the mixture $\{p_i, \phi_i\}$,
and when Alice applies $M_1$ the reduced density matrix $\rho$ is
realized as the mixture $\{p'_i, \phi'_i\}$.

Now, let us focus on the zero strategy. Say Alice realizes $\rho$
as $\{p_i, \phi_i\}$. When the i'th event happens, Alice's strategy
tells her to send some two qubits $q_b, q_x$ to Bob, that are
supposed to hold classical 0, 1 values for b and x. Bob then
measures $q_b$ and $q_x$ in the $\{|0\rangle, |1\rangle\}$ basis. Now, if one of
$q_b, q_x$ is not a classical bit, then Alice can measure it herself
in the $\{|0\rangle, |1\rangle\}$ basis, and get a mixture over classical bits.
Furthermore, we can push all the probabilistic decisions into
the mixture $\{p_i, \phi_i\}$. Thus, w.l.o.g, we can assume Alice's
answers $q_b$ and $q_x$ are classical bits that are determined by
the event i. Let us denote by $u_i$ the vector $\phi_{b_i,x_i}$ where $b_i, x_i$
are Alice's answers when event i occurs. W.l.o.g we may
assume $u_i \in \{\phi_{b,x}\}$, otherwise we know Bob immediately
rejects.

The probability Bob discovers that Alice is cheating is then
$1 - |\langle\phi_i|u_i\rangle|^2$ and the overall probability Bob detects Alice
is cheating is

$$p_{err} = \sum_i p_i(1 - |\langle\phi_i|u_i\rangle|^2)$$

Let us define the density matrix $\rho_0 = \sum_i p_i|u_i\rangle\langle u_i|$.

Claim 6. $\|\rho - \rho_0\|_t \le 2\sqrt{p_{err}}$.



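Proof. $\||\phi_i\rangle\langle\phi_i| - |u_i\rangle\langle u_i|\|_t = 2\sqrt{1 - |\langle\phi_i|u_i\rangle|^2}$.
Therefore

$$\|\rho - \rho_0\|_t = \Big\|\sum_i p_i|\phi_i\rangle\langle\phi_i| - \sum_i p_i|u_i\rangle\langle u_i|\Big\|_t \le \sum_i p_i\,\big\||\phi_i\rangle\langle\phi_i| - |u_i\rangle\langle u_i|\big\|_t = 2\sum_i p_i\sqrt{1 - |\langle\phi_i|u_i\rangle|^2}.$$

Now, by Cauchy-Schwartz inequality,

$$\sum_i p_i\sqrt{1 - |\langle\phi_i|u_i\rangle|^2} \le \sqrt{\sum_i p_i}\,\sqrt{\sum_i p_i(1 - |\langle\phi_i|u_i\rangle|^2)} = \sqrt{p_{err}}$$

and the claim follows. □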

Similarly, if Alice tries to bias the result towards 1, B
ends up in the mixture $\{p'_i, \phi'_i\}$, and when $\phi'_i$ occurs Alice
sends b', x' to Bob that correspond to a vector $u'_i \in \{\phi_{b,x}\}$.
We define $\rho_1$ to be the reduced density matrix
$\rho_1 = \sum_i p'_i|u'_i\rangle\langle u'_i|$. As before, $\|\rho - \rho_1\|_t \le 2\sqrt{q_{err}}$. Hence,

$$\|\rho_0 - \rho_1\|_t \le 2(\sqrt{p_{err}} + \sqrt{q_{err}}).$$

To conclude the proof, we establish the following claim: 

Claim 7. Let $\rho_0$ and $\rho_1$ be density matrices corresponding
to mixtures over $\{\phi_{b,x}\}$. Let $p_0$ be the probability of
$\phi_{0,0}$ or $\phi_{0,1}$ in the first mixture, and $p_1 = 1 - p_0$ be
the probability of $\phi_{1,0}$ or $\phi_{1,1}$. Similarly let $q_0$ and $q_1$ be
the corresponding quantities for the second mixture. Then
$\|\rho_0 - \rho_1\|_t \ge 2 \cdot |p_0 - q_0|\cos 2\theta$.

Proof. We show that we can distinguish the mixtures
with probability at least $|p_0 - q_0|\cos 2\theta$ when we measure
them according to the basis $\{|0\rangle, |1\rangle\}$. If we do the measurement
on a qubit whose state is the reduced density matrix $\rho_0$
we get the $|0\rangle$ answer with probability $p_0\cos^2(\theta) + p_1\sin^2(\theta)$,
while if we do the measurement on a qubit whose state is the
reduced density matrix $\rho_1$ we get the $|0\rangle$ answer with probability
$q_0\cos^2(\theta) + q_1\sin^2(\theta)$. The difference is
$|p_0\cos^2(\theta) + p_1\sin^2(\theta) - (q_0\cos^2(\theta) + q_1\sin^2(\theta))| = |p_0 - q_0|(\cos^2(\theta) - \sin^2(\theta))$,
where we used $p_1 - q_1 = (1 - p_0) - (1 - q_0) = q_0 - p_0$.
Altogether we get $\|\rho_0 - \rho_1\|_t \ge 2 \cdot |p_0 - q_0|(\cos^2(\theta) - \sin^2(\theta))$
as desired. □

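Putting it together:

$$2\cos(2\theta)\,|p_0 - q_0| \le \|\rho_0 - \rho_1\|_t \le 2(\sqrt{p_{err}} + \sqrt{q_{err}}) \le 4\sqrt{\epsilon}$$

I.e., $|p_0 - q_0| \le \frac{2\sqrt{\epsilon}}{\cos(2\theta)}$.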
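
The following Python example is added here and is not part of the original paper; it checks Claim 7 and the inequality chain above numerically. The angle θ = π/8, all function names, and the tested cheating strategy (Alice deposits an unentangled qubit $\phi_\beta$ and picks her claim only at reveal time) are assumptions made for the example.

```python
import math

THETA = math.pi / 8  # sample angle chosen for this example (an assumption)
KEYS = [(0, 0), (0, 1), (1, 0), (1, 1)]

def ket(angle):
    """phi_alpha = cos(alpha)|0> + sin(alpha)|1> as a real 2-vector."""
    return (math.cos(angle), math.sin(angle))

def phi(b, x, theta):
    """The four deposit states phi_{b,x} of Protocol 1."""
    base = 0.0 if b == 0 else math.pi / 2
    return ket(base + (theta if x == 1 else -theta))

def density(weights, theta):
    """Density matrix of a mixture over {phi_{b,x}}.
    weights maps (b, x) -> probability; the result is (r00, r01, r11),
    the entries of a real symmetric 2x2 matrix."""
    r00 = r01 = r11 = 0.0
    for (b, x), p in weights.items():
        v0, v1 = phi(b, x, theta)
        r00 += p * v0 * v0
        r01 += p * v0 * v1
        r11 += p * v1 * v1
    return (r00, r01, r11)

def trace_norm_diff(r, s):
    """||r - s||_t: sum of absolute eigenvalues of the symmetric difference."""
    a, off, d = r[0] - s[0], r[1] - s[1], r[2] - s[2]
    mean, rad = (a + d) / 2, math.hypot((a - d) / 2, off)
    return abs(mean + rad) + abs(mean - rad)

def honest_distance(theta):
    """||rho_0 - rho_1||_t for honest deposits of b = 0 and b = 1 (x uniform).
    It is below 2, so one qubit never reveals b with certainty."""
    rho0 = density({(0, 0): 0.5, (0, 1): 0.5}, theta)
    rho1 = density({(1, 0): 0.5, (1, 1): 0.5}, theta)
    return trace_norm_diff(rho0, rho1)

def claim7_gap(w0, w1, theta):
    """||rho_0 - rho_1||_t - 2|p_0 - q_0|cos(2 theta); Claim 7 says >= 0."""
    p0 = w0[(0, 0)] + w0[(0, 1)]
    q0 = w1[(0, 0)] + w1[(0, 1)]
    dist = trace_norm_diff(density(w0, theta), density(w1, theta))
    return dist - 2 * abs(p0 - q0) * math.cos(2 * theta)

def grid(n=4):
    """All distributions over the four states with weights in steps of 1/n."""
    out = []
    for i in range(n + 1):
        for j in range(n + 1 - i):
            for k in range(n + 1 - i - j):
                probs = (i / n, j / n, k / n, (n - i - j - k) / n)
                out.append(dict(zip(KEYS, probs)))
    return out

def min_claim7_gap(theta, n=4):
    """Smallest Claim 7 gap over all pairs of grid mixtures."""
    g = grid(n)
    return min(claim7_gap(w0, w1, theta) for w0 in g for w1 in g)

def pure_state_cheat(beta, theta):
    """Alice deposits phi_beta and chooses her claim at reveal time.
    Returns (p_err, q_err): Bob's rejection probability when she claims
    b = 0 or b = 1, each with the x that matches phi_beta best."""
    psi = ket(beta)
    def err(b):
        best = max((psi[0] * u[0] + psi[1] * u[1]) ** 2
                   for u in (phi(b, 0, theta), phi(b, 1, theta)))
        return max(0.0, 1.0 - best)
    return err(0), err(1)

def binding_slack(beta, theta):
    """2(sqrt(p_err) + sqrt(q_err)) - 2cos(2 theta)|p_0 - q_0|.
    For this strategy p_0 = 1 and q_0 = 0, so |p_0 - q_0| = 1."""
    p_err, q_err = pure_state_cheat(beta, theta)
    return 2 * (math.sqrt(p_err) + math.sqrt(q_err)) - 2 * math.cos(2 * theta)

def min_binding_slack(theta, steps=720):
    """Smallest slack over deposits phi_beta with beta on a grid in [0, pi)."""
    return min(binding_slack(math.pi * k / steps, theta) for k in range(steps))

if __name__ == "__main__":
    print("honest ||rho0 - rho1||_t :", honest_distance(THETA))
    print("min Claim 7 gap          :", min_claim7_gap(THETA))
    print("errors for beta = pi/4   :", pure_state_cheat(math.pi / 4, THETA))
    print("min binding slack        :", min_binding_slack(THETA))
```

The slack reaches zero at β = θ, where Alice deposits an honest $\phi_{0,1}$ and later claims b = 1, so the chain is tight for this family of strategies.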



3.2 A Quadratic Strategy for Alice 

We now show that Alice has a quadratic strategy for Protocol 1,
and thus Theorem 5 is essentially tight. In fact,
we show the quadratic bound for a more general family of
protocols. Let $\rho_0, \rho_1$ be two density matrices of the same
dimension, $\rho_0$ can be realized as the mixture $\{p_i^0, |\alpha_i^0\rangle\}$ and
$\rho_1$ as $\{p_i^1, |\alpha_i^1\rangle\}$. To encode b, honest Alice picks $|\alpha_i^b\rangle$ with
probability $p_i^b$ and sends it to Bob. At revealing time Alice
sends b and i to Bob, and Bob tests whether Alice is
cheating by projecting his state on $|\alpha_i^b\rangle$.

Theorem 8. Let f be the fidelity $f(\rho_0, \rho_1)$. For any
$0 \le \alpha \le \pi/4$ there exists a strategy for Alice with advantage
$\sqrt{f}\sin(2\alpha)/2$ and probability of detection at most

$$\frac{(1 - f)\sin^2(\alpha)}{2}$$

On first reading of the next proof the reader might want to
check the proof in the simpler case where $\rho_0$ and $\rho_1$ represent
pure states, i.e., $\rho_b = |\psi_b\rangle\langle\psi_b|$.

Proof. We first represent the strategy of an honest Alice
in quantum language. Consider two maximally parallel
purifications $|\psi_0\rangle$ and $|\psi_1\rangle$ of $\rho_0$ and $\rho_1$, where $\rho_0$ and
$\rho_1$ are density matrices of the register B, and the purifications
are states on a larger Hilbert space $A \otimes B$. By [?],
$|\langle\psi_0|\psi_1\rangle|^2 = f(\rho_0, \rho_1)$. At preparation time, Alice prepares
the state

$$|\beta\rangle = \frac{1}{\sqrt{2}}(|0, \psi_0\rangle + |1, \psi_1\rangle)$$

on $A \otimes B$ and one extra qubit C. Alice then sends the register
B to Bob. At revealing time, Alice measures the qubit C in
the $|0\rangle, |1\rangle$ basis, to get a bit b. The state of registers A, B
is now $|\psi_b\rangle$. Alice then applies a unitary transformation $U_b$
on register A, which rotates her state $|\psi_b\rangle$ to the state

This is possible by Theorem 4. After applying $U_b$, Alice
measures register A in the computational basis and sends
Bob the bit b and the outcome of the second measurement,
j. This strategy is similar to the honest strategy, except for
that Alice does not know what bit and state is sent until
revealing time.

We can also assume w.l.o.g. that the maximally parallel
purifications satisfy that $\langle\psi_0|\psi_1\rangle$ is real and positive. This
can be assumed since otherwise we could multiply $|\psi_0\rangle$ by an
overall phase without changing the reduced density matrix
and the absolute value of the inner product.
To cheat, Alice creates the encoding $|\beta\rangle_{CAB}$ and sends register
B to Bob. Alice's one strategy is also as described above.
The zero strategy, on the other hand, is a slight modification
of the honest strategy. At revealing time, Alice measures the
control qubit C in the $\{|\phi_\alpha\rangle, |\phi_\alpha^\perp\rangle\}$ basis, where

$$|\phi_\alpha\rangle = c|0\rangle + s|1\rangle, \qquad |\phi_\alpha^\perp\rangle = -s|0\rangle + c|1\rangle, \qquad (2)$$

and $s = \sin(\alpha)$, $c = \cos(\alpha)$. If the outcome is a projection on
$|\phi_\alpha\rangle$ Alice sends b = 0 and proceeds according to the b = 0
honest protocol, i.e. applies $U_0$ to register A, measures in
the computational basis and sends the result to Bob. If the
outcome is a projection on $|\phi_\alpha^\perp\rangle$, Alice proceeds according
to the b = 1 honest protocol. Let us now compute Alice's
advantage and Alice's probability of getting caught cheating.
We can express $|\beta\rangle$ as:

$$|\beta\rangle = \frac{1}{\sqrt{2}}(c|\phi_\alpha, \psi_0\rangle - s|\phi_\alpha^\perp, \psi_0\rangle) + \frac{1}{\sqrt{2}}(s|\phi_\alpha, \psi_1\rangle + c|\phi_\alpha^\perp, \psi_1\rangle).$$

Hence, the probability Alice sends b = 0 in the zero strategy
is $\frac{1}{2}\|c\psi_0 + s\psi_1\|^2 = \frac{1}{2}(c^2 + s^2 + 2cs\langle\psi_0|\psi_1\rangle) = \frac{1}{2}(1 + 2cs\sqrt{f})$.
We conclude:



Claim 9. Alice's advantage is $\frac{\sqrt{f}\sin(2\alpha)}{2}$.



We now prove that the detection probability is at most
$(1 - f)s^2$. The state of $A \otimes B$ conditioned that the first
measurement yields $|\phi_\alpha\rangle$ can be written as
$\frac{1}{\sqrt{2\Pr(b = 0)}}(c|\psi_0\rangle + s|\psi_1\rangle)$ where $\Pr(b = 0)$ is the probability Alice sends b = 0
in the zero strategy. The above state can be written as

$$\frac{(c + \sqrt{f}s)|\psi_0\rangle + \sqrt{1 - f}\,s|\psi_0^\perp\rangle}{\sqrt{\Pr(b = 0)}\sqrt{2}}$$

The rest of the protocol involves Alice's rotation of the state
by $U_0$, then Alice's measurement of the register A and Bob's
measurement of the register B. The entire process can be
treated as a generalized measurement on this state, where
this measurement is a projection onto one of two subspaces,
the "cheating Alice" and the "Honest Alice" subspaces. We
know that $|\psi_0\rangle$ lies entirely in the honest Alice subspace,
and thus the probability that Alice is caught, conditioned
that C was projected on $\phi_\alpha$, is at most $\frac{1}{2\Pr(b = 0)}(1 - f)s^2$.
In the same way, when we condition on a projection on $\phi_\alpha^\perp$,
Alice's state can be written as
$\frac{1}{\sqrt{2\Pr(b = 1)}}((c - \sqrt{f}s)|\psi_1\rangle - \sqrt{1 - f}\,s|\psi_1^\perp\rangle)$, which gives a probability of detection which
is at most $\frac{1}{2\Pr(b = 1)}(1 - f)s^2$. Adding the conditional probabilities
together we get that the detection probability is at
most $(1 - f)s^2$. □



Proof. We first describe a general scenario. Alice is honest
and sends $|\phi_{b,x}\rangle_A$ to Bob. Bob has an ancilla $|0\rangle_C$. Bob
applies some unitary transformation U acting on the registers
A and C. Let us denote

$$|\alpha_{b,x}\rangle = U(|\phi_{b,x}, 0\rangle_{AC})$$

Bob then sends register A to Alice, and keeps register C to
himself. We want to show that if C contains much information
about b then Alice detects Bob cheating with a good
probability.

We can express $\alpha_{b,x}$ as a superposition,

$$|\alpha_{b,x}\rangle = |\phi_{b,x}, w_{b,x}\rangle + |\phi^\perp_{b,x}, w'_{b,x}\rangle \qquad (3)$$

where we have used the basis $|\phi_{b,x}\rangle$, $|\phi^\perp_{b,x}\rangle$ for $A$. In this
representation, the probability $p$ Bob is caught cheating is:



1^6.,- 



(4) 



which in particular implies that $\|w'_{b,x}\| \le 2\sqrt{p}$.
We now want to express Bob's advantage. Let $\rho_0$ ($\rho_1$) be
the reduced density matrix of the register $B$ conditioned on
the event that $b = 0$ ($b = 1$). Then,



(5) 



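Bob's advantage is at most the trace distance
between $\rho_0$ and $\rho_1$, and we want to
bound it from above. Triangle inequality gives:

$$\|\rho_0 - \rho_1\|_t \le \frac{1}{2}\Big( \big\| |w_{0,0}\rangle\langle w_{0,0}| - |w_{1,1}\rangle\langle w_{1,1}| \big\|_t + \big\| |w_{0,1}\rangle\langle w_{0,1}| - |w_{1,0}\rangle\langle w_{1,0}| \big\|_t + \sum_{b,x} \big\| |w'_{b,x}\rangle\langle w'_{b,x}| \big\|_t \Big).$$

As the trace norm of two pure states $a$ and $b$ is
$2\sqrt{1 - |\langle a|b\rangle|^2}$, and using Equation (4), we get:

$$\|\rho_0 - \rho_1\|_t \le \sqrt{1 - |\langle w_{0,0}|w_{1,1}\rangle|^2} + \sqrt{1 - |\langle w_{0,1}|w_{1,0}\rangle|^2} + 2p$$

We now claim: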



4. THE SEALING PROPERTY 

Definition 6. (($\varepsilon, p$) sealing) A bit escrow protocol is
($\varepsilon, p$) sealing, if whenever Alice is honest and deposits a bit $b$
s.t. $\mathrm{Prob}(b = 0) = \frac{1}{2}$, for any strategy Bob uses and a value
$c$ Bob learns, it holds that either

• $\Pr_{b \in_R \{0,1\},\,\mathrm{protocol}}(c = b) \le \frac{1}{2} + \varepsilon$, or

• $\Pr_{b \in_R \{0,1\},\,\mathrm{protocol}}(r_A = \mathrm{err}) \ge p$

The probability is taken over $b$ taken uniformly from $\{0, 1\}$
and the protocol.

We show here that Protocol 1 is quadratically sealing. This
means that whatever Bob does, he will always be detected
cheating with probability which is at least the square of his
advantage. Later, we show that this is tight.

4.1 Protocol 1 is Quadratically Sealing

Theorem 10. Protocol^ is {e ^ 0{-^r^^),p) sealing. 



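Lemma 11. $|\langle w_{0,0}|w_{1,1}\rangle|,\ |\langle w_{0,1}|w_{1,0}\rangle| \ge 1 - O(\mathrm{ctg}^2(2\theta) + 4)p$.

Thus, altogether, $\|\rho_0 - \rho_1\|_t \le O(\mathrm{ctg}(2\theta)\sqrt{p})$ which
completes the proof. □

We now turn to the proof of Lemma 11.

Proof (of Lemma 11).
We will prove that all the unprimed $w$ vectors lie in one
bunch of small width, using the unitarity of $U$. The unitarity
of $U$ implies that $\langle\phi_{b,x}|\phi_{b',x'}\rangle = \langle\alpha_{b,x}|\alpha_{b',x'}\rangle$. We can
express $\alpha_{b,x}$ as in Equation (3). We get:

$$\langle\phi_{b,x}|\phi_{b',x'}\rangle = \langle\phi_{b,x}|\phi_{b',x'}\rangle\langle w_{b,x}|w_{b',x'}\rangle + \langle\phi_{b,x}|\phi^\perp_{b',x'}\rangle\langle w_{b,x}|w'_{b',x'}\rangle + \langle\phi^\perp_{b,x}|\phi_{b',x'}\rangle\langle w'_{b,x}|w_{b',x'}\rangle + \langle\phi^\perp_{b,x}|\phi^\perp_{b',x'}\rangle\langle w'_{b,x}|w'_{b',x'}\rangle$$

Substituting the values $b, x, b', x'$ for actual values, and
noticing that $|\langle w'_{b,x}|w'_{b',x'}\rangle| \le 4p$, we in particular get the
following equations: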



$$\langle w_{b,x}|w_{b,x}\rangle =_{4p} 1 \qquad (6)$$

$$\langle w_{0,0}|w'_{1,0}\rangle + \langle w'_{0,0}|w_{1,0}\rangle = 0 \qquad (7)$$

$$\langle w_{0,1}|w'_{1,1}\rangle + \langle w'_{0,1}|w_{1,1}\rangle = 0 \qquad (8)$$

$$\langle w_{1,0}|w'_{1,1}\rangle - \langle w'_{1,0}|w_{1,1}\rangle =_{4cp/s} \frac{c}{s}\left(1 - \langle w_{1,0}|w_{1,1}\rangle\right) \qquad (9)$$

$$\langle w_{0,1}|w'_{1,0}\rangle + \langle w'_{0,1}|w_{1,0}\rangle =_{4sp/c} \frac{s}{c}\left(1 - \langle w_{0,1}|w_{1,0}\rangle\right) \qquad (10)$$

$$\langle w_{0,0}|w'_{1,1}\rangle - \langle w'_{0,0}|w_{1,1}\rangle =_{4sp/c} \frac{s}{c}\left(1 - \langle w_{0,0}|w_{1,1}\rangle\right) \qquad (11)$$

$$\langle w_{0,0}|w'_{0,1}\rangle - \langle w'_{0,0}|w_{0,1}\rangle =_{4cp/s} \frac{c}{s}\left(1 - \langle w_{0,0}|w_{0,1}\rangle\right) \qquad (12)$$

where $c = \cos(2\theta)$, $s = \sin(2\theta)$ and we write $x =_q y$ if
$|x - y| \le q$. A partial result can already be derived from
what we have so far. By equation (4), we note that the length
of the primed $w$ vectors is at most $2\sqrt{p}$. Inserting this to
equations (10) and (11), we get that $|\langle w_{0,0}|w_{1,1}\rangle|$ and similarly
$|\langle w_{0,1}|w_{1,0}\rangle|$ are close to 1 up to terms of order $\sqrt{p}$. This
is weaker than the result which we want to achieve in
Lemma 11, which is closeness to 1 up to order $p$ terms. If
we stop here, the closeness of the unprimed $w$ vectors up to
order $\sqrt{p}$ implies that Bob's information is at most of the
order of $\sqrt[4]{p}$. Note, however, that so far all we have used is
unitarity, and we have not used the particular properties of
the set of vectors we use in the protocol. In the rest of the
proof, we will use the symmetry in Protocol 1 to improve on
this partial result, and to show that Bob's information is at
most of the order of $\sqrt{p}$. Basically, the symmetry which we
will use is the fact that the vectors in the protocol can be
paired into orthogonal vectors.

We proceed as follows. The idea is to express equations (9)-(12)
as inequalities involving only the distances between two
$w$ vectors, $\|w_{b,x} - w_{b',x'}\|$, and then to solve the set of the
four inequalities to give an upper bound on the pairwise
distances. This will imply a bound on the inner products,
$\langle w_{b,x}|w_{b',x'}\rangle$, by the following connection:

Claim 12. $1 - \mathrm{Re}(\langle w_{b,x}|w_{b',x'}\rangle) \ge \frac{\|w_{b,x} - w_{b',x'}\|^2}{2}$,
where $\mathrm{Re}(z)$ denotes the real part of the complex number $z$.

Proof. $\|w_{b,x} - w_{b',x'}\|^2 = \langle w_{b,x} - w_{b',x'}|w_{b,x} - w_{b',x'}\rangle \le 2 - 2\mathrm{Re}(\langle w_{b,x}|w_{b',x'}\rangle)$. □

We denote: 



Expressing the left hand side of the equations in terms of
$a$, $b$, $c$ and $d$ might look a bit more complicated, and this is
where we invoke the symmetric properties of the protocol,
namely equations (7) and (8).

Claim 14. $\mathrm{Re}(LHS) \le 4\sqrt{p}(a + b + c + d)$

Proof. We first look at the LHS of Equation ^ + Equa- 
tion |l^. By adding {wo,i|wi,i) + (woi|uii,i) = (due 
to Equation ^ and by using the fact that Re{{a\f3)) = 
Re{{P\a)) we get that the LHS of these two equations con- 
tributes _Re((wo,o|wo,i — wi.i) -I- i?e((wo^i|«;i,i — luo.o) + 
7?e({wi_i|wo,i - ■!^o,o) < 2y^(c + d) + 2Jpb + 2^a. 
Similarly, the LHS of Equation 4-Equation ^ 
is i?e((w;i_ol™o,i — + -Re((«'o,il«'i,o — ™i,i) + 

i?e({u;'i_i|u)i,o — wo^i) < 2^{a + b -I- d -I- c). 
Altogether, $\mathrm{Re}(LHS) \le 4\sqrt{p}(a + b + c + d)$. □

Combining Claims 13 and 14 with our knowledge that
$\mathrm{Re}(RHS) \le \mathrm{Re}(LHS) + \frac{8cp}{s} + \frac{8sp}{c}$ we get:

$$\frac{c}{2s}(a^2 + d^2) + \frac{s}{2c}(b^2 + c^2) \le 4\sqrt{p}(a + b + c + d) + \frac{8cp}{s} + \frac{8sp}{c}$$

We want to show that $a, b, c, d$ are all of the order of $\sqrt{p}$.
Define $A = a + b + c + d$. For $0 < \theta < \frac{\pi}{8}$, $\mathrm{ctg}(2\theta) \ge \mathrm{tg}(2\theta)$.
Since all terms in the left hand side are positive, we have for
each of $a, b, c, d$ an upper bound in terms of $A$:



2 1 2 2 ,2 
a ,0 , c ,d 



8A^ ^ ^^^^^ ^ ^c,2, 



s/c 



16p(l + (- 



Thus, A = a + b + c + d< 4^^^ + ^ 
Solving the quadratic equation 

A 2 2^ VP- A 



2'p 



< 



for $A$ we get

$$A \le 132 \cdot \sqrt{p} \cdot \mathrm{ctg}(2\theta)$$



Finally, 



Kioo.olwi.i)! > \Re{{wQA-)\wiA))\ 



l|2 I II ||2 7,2 



2 - 6^ - Bp 



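$a = \|w_{0,0} - w_{0,1}\|$
$b = \|w_{0,0} - w_{1,1}\|$
$c = \|w_{0,1} - w_{1,0}\|$
$d = \|w_{1,0} - w_{1,1}\|$

Let LHS (RHS) be the sum of the left (right) hand side of
the last four equations.

Claim 13. $\mathrm{Re}(RHS) \ge \frac{c}{2s}(a^2 + d^2) + \frac{s}{2c}(b^2 + c^2)$.

Proof.

$$\mathrm{Re}(RHS) = \frac{c}{s}\left(2 - \mathrm{Re}(\langle w_{0,0}|w_{0,1}\rangle) - \mathrm{Re}(\langle w_{1,0}|w_{1,1}\rangle)\right) + \frac{s}{c}\left(2 - \mathrm{Re}(\langle w_{0,0}|w_{1,1}\rangle) - \mathrm{Re}(\langle w_{0,1}|w_{1,0}\rangle)\right)$$

and now we can apply Claim 12. □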



> 1- {2^^ctg'^{2e) +A)p 

where the third inequality is true due to equation H. Similarly,
we have the same lower bound for $|\langle w_{0,1}|w_{1,0}\rangle|$, which
implies Lemma 11.

Thus, our bit escrow protocol gives quadratic sealing. 

Remark 1. Protocol 1 is sealing even if we modify it a
little bit, as follows: at revealing time Alice first reveals $b$
and then Bob returns the qubit $q$. In other words, if Bob has
learned $\varepsilon$ information about $b$ after the deposit stage, then
even if later on he gets to know $b$, he cannot avoid being
detected with probability $\Omega(\varepsilon^2)$. To see this, we use linearity.
If Bob has a strategy which gives him detection probability $p$
in the modified protocol, then w.l.o.g. his strategy is to apply
the identity if $b = 0$ and some unitary operation $U$ if $b = 1$.
However, since the $b = 1, x = 0$ and $b = 1, x = 1$ cases are
linear combinations of the $b = 0, x = 0$ and $b = 0, x = 1$
cases, one can show that if Bob's probability for detection is
$p$ in the $b = 0$ case, then it is also $O(p)$ in the $b = 1$ case,
and therefore Bob does not have to apply $U$ in the first place.
This means that if he has a cheating strategy for the modified
protocol, then he also has a cheating strategy with about the
same parameters for Protocol 1, and so by Theorem 10 the
modified protocol is also quadratically secure.

Remark 2. One might suspect that this quadratic gap
will always be the case for any reasonable set of vectors for
Alice. This is not correct. If Alice only uses $\phi_{0,1}$ and $\phi_{1,0}$,
then Bob has a strategy which gives him ^y/p advantage. We 
will not elaborate on this in this paper. 

4.2 A Quadratic Strategy for Bob 

Theorem 15. Let $\rho_0, \rho_1$ be two density matrices of the
same dimension, such that $\|\rho_0 - \rho_1\|_t = t$. Consider the
following protocol. Alice tosses a random bit $b$. She chooses
a pure state from the mixture $\rho_b$, and sends it to Bob. Then
Bob returns to Alice the state, and Alice projects it on the
original state to test whether Bob has manipulated it. We
claim that for any $1 > p > 0$, there is a strategy for Bob such
that he learns $b$ with advantage $t\sqrt{p}$, and his probability of
detection is at most $\frac{1}{2}(1 - \sqrt{1 - p})$, which is $\Theta(p)$ for small
$p$.

Proof: Alice prepares an encoding $\psi_b$ of $b \in \{0, 1\}$ in register
$B$, and sends register $B$ to Bob. Let $\rho_b$ be the reduced density
matrix of $\psi_b$ to register $B$. We denote $t = \|\rho_0 - \rho_1\|_t$.
By Theorem |^ we know that if Bob is interested in learning
information about $b$, and is not concerned with being
detected cheating, the best he can do is a measurement
according to the eigenvalue basis of $\rho_0 - \rho_1$. Given any
$0 < p < 1$ we modify this strategy to a strategy where the
detection probability is at most $p$, and yet Bob gets much
information.

Let us consider more precisely Bob's best strategy for 
learning b if he is not concerned with being caught. Let 
{ei, . . . be the eigenvector basis of po — pi. Let 

{V~) be the set of eigenvectors e with non- negative (neg- 
ative) eigenvalues. The measurement M is defined by the 
Hermitian matrix for which is an eigenspace of eigen- 
value and V~ is an eigenspace of eigenvalue 1. By Theo- 
rem ^ 

$$|\mathrm{Trace}(\rho_0 M) - \mathrm{Trace}(\rho_1 M)| = \frac{t}{2} \qquad (13)$$

To apply a weak form of the measurement $M$, Bob takes a
one qubit ancilla $C$. He applies a unitary transformation $U$
on the received message and the ancilla, as follows:

$$U|e, 0\rangle = \begin{cases} |e\rangle \otimes |0\rangle & \text{if } e \in V^+ \\ |e\rangle \otimes |v\rangle & \text{if } e \in V^- \end{cases}$$

where $|v\rangle = \sqrt{1 - p}\,|0\rangle + \sqrt{p}\,|1\rangle$ and $U$ is completed to a unitary
transformation. After applying $U$ Bob returns register
$B$ to Alice, and keeps the ancilla $C$ for himself. Notice that
the special case $p = 1$ is equivalent to the measurement $M$.

Lemma 16. $\|U\rho_0|_C - U\rho_1|_C\|_t = t\sqrt{p}$.

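Proof. We will show

Claim 17.

$$U\rho_0|_C = \mathrm{Trace}(\rho_0 M)\,|0\rangle\langle 0| + (1 - \mathrm{Trace}(\rho_0 M))\,|v\rangle\langle v|$$
$$U\rho_1|_C = \mathrm{Trace}(\rho_1 M)\,|0\rangle\langle 0| + (1 - \mathrm{Trace}(\rho_1 M))\,|v\rangle\langle v|$$

Thus, $U\rho_0|_C - U\rho_1|_C = (\mathrm{Trace}(\rho_0 M) - \mathrm{Trace}(\rho_1 M))(|0\rangle\langle 0| - |v\rangle\langle v|) = \pm\frac{t}{2}(|0\rangle\langle 0| - |v\rangle\langle v|)$,
where the last equality is due to Equation (13). Since
$\big\| |0\rangle\langle 0| - |v\rangle\langle v| \big\|_t = 2\sqrt{1 - |\langle 0|v\rangle|^2} = 2\sqrt{p}$ we get
$\|U\rho_0|_C - U\rho_1|_C\|_t = t\sqrt{p}$ as desired. □

We now prove Claim 17.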

Proof, (of Claim |l^). We express po = I]j '"^j|Q^j){Q^ili 
where aj is a pure state. We further express each aj in the 
eigenbasis {e^}: 

Applying f/, this state is taken to: 

!7ia,,0) = ^a+|e+)|0)+^ar,|er)l^) 

The reduced density matrix to the register C, in case of 
event \aj) is: 

and altogether, l7poic = "'j(E>+ I«5ni0)(0| + 
Ej ''"j(Ei_ To complete the proof we just no- 

tice that Ej™j(Ei+ l°-ijP) ~ Trace{poM). The proof for 
U po\c is similar. □ 

We now analyze the error detection probability.

Lemma 18. $\mathrm{Prob}(err) \le \frac{1}{2}(1 - \sqrt{1 - p})$

Proof. Say Alice sent Bob the state $|w\rangle$. We can express
it as $|w\rangle = a|w^+\rangle + b|w^-\rangle$ where $|w^+\rangle \in \mathrm{Span}(V^+)$ and
$|w^-\rangle \in \mathrm{Span}(V^-)$. Bob applies $U$ on $w$ and gets

$$U|w\rangle = a|w^+, 0\rangle + b|w^-, v\rangle = a|w^+, 0\rangle + \sqrt{1 - p}\,b|w^-, 0\rangle + \sqrt{p}\,b|w^-, 1\rangle$$

Therefore, if we measure the last qubit, then with probability
$pb^2$ we end up in $|w^-\rangle$ and with probability $1 - pb^2$
we end up in $a|w^+\rangle + \sqrt{1 - p}\,b|w^-\rangle$ normalized. Thus the
density matrix of $U|w\rangle$ after tracing out the last qubit is:

To find out the probability for Alice not to detect Bob cheating,
we calculate $\langle w|\rho|w\rangle$. We get:

$$\Pr(\neg Err) = |a|^4 + 2|ab|^2\sqrt{1 - p} + |b|^4 = 1 - 2|ab|^2(1 - \sqrt{1 - p})$$

The probability of Alice detecting an error is thus
$2|ab|^2(1 - \sqrt{1 - p}) \le \frac{1}{2}(1 - \sqrt{1 - p})$. □

Remark 3. The average of $|ab|$ can tend to 0.5, even
when $t$ tends to 0. This can be seen by taking $\rho_0$ to be composed
of two states which are the basis states $|0\rangle$ and $|1\rangle$
rotated by $\theta$ towards each other, whereas $\rho_1$ is the mixture
of the basis states rotated by $\theta$ outwards. As $\theta$ tends to 0, $t$
tends to 0, but $|ab|$ tends to 0.5.
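A numerical check of Theorem 15 on the single-qubit mixtures of Remark 3, added here as an example (it is not code from the paper): it applies Bob's weak measurement $U$ and compares the ancilla trace distance with $t\sqrt{p}$ and the detection probability with $\frac{1}{2}(1 - \sqrt{1 - p})$. The function names and the sample values of $\theta$ and $p$ are assumptions made for this illustration.

```python
import math

def trace_norm(m):
    """Sum of |eigenvalues| of a real symmetric 2x2 matrix (the paper's ||.||_t)."""
    (x, y), (_, z) = m
    mid, rad = (x + z) / 2, math.hypot((x - z) / 2, y)
    return abs(mid + rad) + abs(mid - rad)

def sub(m, n):
    return [[m[i][j] - n[i][j] for j in range(2)] for i in range(2)]

def weak_measure(a, b, p):
    """Apply Bob's U to |w> = a|e+> + b|e->, ancilla C starting in |0>.
    Returns (reduced state of C, probability Alice's projection on |w> fails)."""
    k, q = math.sqrt(1 - p), math.sqrt(p)
    # joint amplitudes psi[e][c]: e+ leaves |0>, e- moves C to |v> = k|0> + q|1>
    psi = [[a, 0.0], [b * k, b * q]]
    rho_c = [[sum(psi[e][i] * psi[e][j] for e in range(2)) for j in range(2)]
             for i in range(2)]
    rho_b = [[sum(psi[i][c] * psi[j][c] for c in range(2)) for j in range(2)]
             for i in range(2)]
    w = (a, b)
    accept = sum(w[i] * rho_b[i][j] * w[j] for i in range(2) for j in range(2))
    return rho_c, 1 - accept

def run(theta, p):
    """Returns (t, trace distance between Bob's ancilla states, worst detection prob)."""
    c, s, r = math.cos(theta), math.sin(theta), math.sqrt(2)
    # Remark 3 ensembles (constructed): basis states rotated inwards / outwards
    ens = {0: [(c, s), (s, c)], 1: [(c, -s), (-s, c)]}
    dens, anc, worst = {}, {}, 0.0
    for bit, states in ens.items():
        dens[bit] = [[sum(v[i] * v[j] for v in states) / 2 for j in range(2)]
                     for i in range(2)]
        anc[bit] = [[0.0, 0.0], [0.0, 0.0]]
        for x, y in states:
            # rho_0 - rho_1 = sin(2*theta) * X, so e+ = |+> and e- = |->
            rc, err = weak_measure((x + y) / r, (x - y) / r, p)
            anc[bit] = [[anc[bit][i][j] + rc[i][j] / 2 for j in range(2)]
                        for i in range(2)]
            worst = max(worst, err)
    return (trace_norm(sub(dens[0], dens[1])),
            trace_norm(sub(anc[0], anc[1])), worst)

if __name__ == "__main__":
    print(run(0.2, 0.1))
```

For these mixtures $t = 2\sin(2\theta)$ and $|ab| = \cos(2\theta)/2$, so shrinking $\theta$ drives Bob's information to zero while the detection probability approaches the bound of Lemma 18.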



5. PROOF OF THEOREM 

We show that no cheater can control the game. 

When Bob cheats : 

Suppose Alice is honest and Bob is arbitrary. Let us
look at the mixture that Alice generates at the first
step of Protocol ^ Let $\rho_{b=0}$ be the density matrix in
the case $b = 0$, and $\rho_{b=1}$ in the case $b = 1$. Then
$\|\rho_{b=0} - \rho_{b=1}\|_t = 2\cos(2\theta)$. It follows from Theorem
that whatever Bob does, the probability that $b' = b$
and Bob wins is at most $\Pr(b' = b) \le \frac{1}{2} + \frac{\cos(2\theta)}{2} = \cos^2(\theta)$
which for $\theta = \frac{\pi}{8}$ is at most 0.86.

When Alice cheats : 

Now, suppose Bob is honest and Alice is arbitrary. 



Proti(Alice wins 



X, which is at most 



PO+11 



whereas the probability that Alice loses is at least 
2J-j2fl.. The difference |a:: — (1 — a;)| is at most 
Po-go+gi-Pi < IPo-gol + IPi-gil ^ Ip^j _ gj^i^ - ^ 

l+|po-go 



X < 



[6] D. Mayers, Unconditionally secure quantum bit commitment is impossible, Phys. Rev. Lett. 78, pp. 3414-3417, 1997

[7] D. Mayers, L. Salvail and Y. Chiba-Kohno, Unconditionally Secure Quantum Coin Tossing, quant-ph/9904078, 1999

[8] J. Preskill, Lecture notes, http://www.theory.caltech.edu/people/preskill/ph229/



y^jgQ^ Perr+gerr < 1 _ j;^ as whcuBver AllcB Is caught 
cheating she loses. This implies that ^perr + ^/qlrr < 
2\/l — X as the maximum is obtained when p^rr = 

^lerr — 1 X . 

Finally, from the proof of Theorem |^ we have \pq — 
go I < ^^^cos(20 Y^ ■ Putting it all together we get: 

^ < i + |po-go| 



^ 2 + 



2cos(26l) 



< i + ^IEl 

- 2 cos(26l) 
For $\theta = \frac{\pi}{8}$ we get the quadratic equation $4x^2 + 4x - 7 \le 0$.
Solving it we get $x \le 0.9143$.